METHOD AND SYSTEM FOR PREVENTING LOWER-LAYER LEVEL ATTACKS IN A NETWORK

US 20110055571A1
Filed: 08/23/2010
Published: 03/03/2011
Est. Priority Date: 08/24/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for preventing lower-layer level attacks committed against entities in a network, comprising:

forming a secure peer group (SPG) of member entities in the network, wherein each of the member entities is configured with a media access control (MAC) address locked to its own identity and a Internet protocol (IP) address linked to its MAC address;

establishing a secure handshake between at least a source member entity and a target member entity of the SPG by mutually authenticating the source member entity and the target member entity; and

securely transferring data from the source member entity to the target member entity.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for preventing lower-layer level attacks committed against entities in a network. The method comprises forming a secure peer group (SPG) of member entities in the network, wherein each of the member entities is configured with a media access control (MAC) address locked to its own identity and a Internet protocol (IP) address linked to its MAC address; establishing a secure handshake between at least a source member entity and a target member entity of the SPG by mutually authenticating of the source member entity and the target member entity; and securely transferring data from the source member entity to the target member entity.

Citations

26 Claims

1. A method for preventing lower-layer level attacks committed against entities in a network, comprising:
- forming a secure peer group (SPG) of member entities in the network, wherein each of the member entities is configured with a media access control (MAC) address locked to its own identity and a Internet protocol (IP) address linked to its MAC address;
  
  establishing a secure handshake between at least a source member entity and a target member entity of the SPG by mutually authenticating the source member entity and the target member entity; and
  
  securely transferring data from the source member entity to the target member entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein establishing the secure handshake further comprises:
    - exchanging public keys, where the public keys are selected from a public key infrastructure (PKI);
      
      securely exchanging identities between the source member entity and the target member entity, wherein the identities are encrypted using said public keys;
      
      exchanging challenge numbers to be used during the mutual authentication, wherein the challenge numbers are encrypted; and
      
      by each member entity, verifying the received information and authenticating the identity of the member entity from which the information is received.
  - 3. The method of claim 2, wherein the identity of an entity member comprises at least:
    - the member entity'"'"'s MAC addresses locked to its identity, the member entity'"'"'s IP address linked to the MAC address, and the public key of the member entity.
  - 4. The method of claim 2, wherein mutually authenticating the member entities further comprises:
    - by each member entity, verifying a received challenge number; and
      
      responding with a new challenge number.
  - 5. The method in claim 2, wherein establishing the secure handshake further comprises:
    - exchanging session keys between the source member entity and the target member entity.
  - 6. The method of claim 1, wherein the network is at least one of:
    - a local area network (LAN), an enterprise network, a metro area network (MAN), a wide area network (WAN), and the Internet.
  - 7. The method of claim 1, wherein lower-layer level attacks include attacks performed using at least an Ethernet Layer.
  - 8. The method of claim 7, wherein lower-layer level attacks include attacks performed using one of an Internet protocol (IP) Layer and a transport Layer.
  - 9. The method of claim 1, wherein securely transferring data from the source member entity to the target member entity further comprises:
    - preparing an add-on to each data packet to be transferred;
      
      combining the add-on with the data packet to form a new data packet;
      
      encrypting the new data packet using a security key belonging to the target member entity to form an encrypted new data packet; and
      
      sending the encrypted new data packet to the target member entity.
  - 10. The method of claim 9, further comprises:
    - decrypting the received encrypted new data packet to extract the new data packet using the security key of the target member entity;
      
      verifying the authenticity of the source member entity using the add-on included in the received new data packet;
      
      accepting the received new data packet if the source member entity is verified; and
      
      rejecting the received new data packet if the source member entity is not verified.
  - 11. The method of claim 10, further comprises:
    - when the source member entity is not verified, requesting to resend the data packet from the source member entity; and
      
      informing a management entity of a possible attack.
  - 12. The method of claim 9, wherein the add-on comprises a hash of at least a few bits of challenge response received and the data in the data packet to be sent by the source member entity.
  - 13. The method in claim 9, wherein encrypting the new data packet is performed using a session key supplied by the target member entity during the secure handshake.
  - 14. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 1.

15. A system for preventing lower-layer level attacks committed against entities in a network, comprising:
- a plurality of member entities connected to a network, wherein the plurality of member entities are part of a secure peer group (SPG), each of the plurality of the member entities is configured with a media access control (MAC) address locked to its respective identity and with a unique identification;
  
  a secure server for verifying legitimacy of a member entity requesting an Internet protocol (IP) address and upon verification assigning an IP address to the member entity, wherein the IP address is linked to a MAC address of the entity member;
  
  at least a source member entity which is a member of the SPG; and
  
  at least a target member entity which is a member of the SPG, wherein the source member entity establishes a secure handshake with the target member entity and securely transfers data to the target member entity.
- View Dependent Claims (16)
- - 16. The system of claim 15, wherein said network is one of:
    - a local area network (LAN), a wide area network (WAN), a metro area network (MAN), and the Internet.

17. A method for providing packet level security during data transfer between a source member entity and a target member entity belonging to a secure peer group (SPG), comprising:
- preparing an add-on to each data packet to be transferred;
  
  combining the add-on with the data packet to form a new data packet;
  
  encrypting the new data packet using a security key belonging to the target member entity to form an encrypted new data packet; and
  
  sending the encrypted new data packet to the target member entity.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The method of claim 17, further comprises:
    - decrypting the received encrypted new data packet to extract the new data packet using the security key of the target member entity;
      
      verifying the authenticity of the source target entity using the add-on included in the received new data packet;
      
      accepting the received new data packet if the source member entity is verified; and
      
      rejecting the received new data packet if the source member entity is not verified.
  - 19. The method of claim 18, further comprises:
    - when the source member entity is not verified, requesting to resend the data packet from the source member entity and informing a management entity of a possible attack.
  - 20. The method of claim 19, wherein each member entity is configured with a media access control (MAC) address locked to its own identity and an Internet protocol (IP) address linked to its MAC address.
  - 21. The method of claim 17, wherein the add-on comprises a hash of at least a few bits of challenge response received during a mutual authentication process between the source member entity and the target member entity, and the data in the data packet to be sent by the source member entity.
  - 22. The method in claim 17, wherein the security key is a public key selected from a public key infrastructure (PKI).
  - 23. The method in claim 17, wherein encrypting the new data packet is performed using a session key supplied by the target member entity during the handshake process.
  - 24. The method of claim 17, wherein combining the add-on with the data packet further comprises:
    - sending the add-on in a separate data packet.
  - 25. The method of claim 17, further comprises:
    - performing at least one of;
      
      signing, authenticating and encrypting the new data packet.
  - 26. The method of claim 17, wherein the security key further includes a key selected from a group of keys or a mater key, wherein the group of keys or the mater key can be identified by a firewall in a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yoel Gluck
Original Assignee
Yoel Gluck
Inventors
GLUCK, Yoel

Application Number

US12/861,559
Publication Number

US 20110055571A1
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0869   for achieving mutual authen...

H04L 63/1441   Countermeasures against mal...

H04L 63/162   at the data link layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

METHOD AND SYSTEM FOR PREVENTING LOWER-LAYER LEVEL ATTACKS IN A NETWORK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR PREVENTING LOWER-LAYER LEVEL ATTACKS IN A NETWORK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links